CVE-2026-26005 Overview
CVE-2026-26005 is a Server-Side Request Forgery (SSRF) vulnerability affecting ClipBucket v5, an open source video sharing platform. Prior to version 5.5.3 - #45, the Remote Play feature allows users to create video entries that reference external video URLs without uploading video files directly to the server. However, by specifying an internal network host in the video URL, an attacker can trigger SSRF, causing GET requests to be sent to internal servers. This vulnerability can be exploited to scan internal network infrastructure and potentially access sensitive internal resources.
Critical Impact
Low-privileged users can exploit the Remote Play feature to perform internal network reconnaissance and potentially access internal services that should not be externally reachable.
Affected Products
- ClipBucket v5 prior to version 5.5.3 - #45
- ClipBucket v5 installations with Remote Play feature enabled
- Self-hosted ClipBucket v5 deployments with access to internal network resources
Discovery Timeline
- 2026-02-12 - CVE CVE-2026-26005 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2026-26005
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The flaw exists in the Remote Play functionality of ClipBucket v5, which enables users to link external video URLs instead of uploading files directly. The application fails to properly validate whether the provided URL points to an external, public resource versus an internal network address.
When a user submits a video URL through the Remote Play feature, the server processes this URL and makes outbound HTTP GET requests to fetch video metadata or content. Without proper validation, an attacker can supply URLs targeting internal network addresses such as http://192.168.1.1, http://10.0.0.1, http://localhost, or internal hostnames. This allows the attacker to use the ClipBucket server as a proxy to reach internal services that are not exposed to the public internet.
The vulnerability is particularly concerning because even regular, non-privileged users with basic accounts can carry out the attack, significantly lowering the barrier to exploitation.
Root Cause
The root cause of this vulnerability is insufficient URL validation in the upload/actions/remote_play_send_form.php file. The original code only performed basic URL format validation using filter_var() with FILTER_VALIDATE_URL, which verifies that the URL is syntactically correct but does not check whether the destination host is internal or external.
The vulnerable code accepted any valid URL format without checking:
- Whether the resolved IP address belongs to private or reserved ranges
- Whether the hostname resolves to internal network addresses
- Both IPv4 and IPv6 DNS records that could bypass single-stack filtering
Attack Vector
The attack is network-accessible and requires low privileges (basic user authentication). An attacker can exploit this vulnerability by:
- Authenticating as a regular user on the ClipBucket platform
- Navigating to the Remote Play video upload feature
- Supplying a malicious URL pointing to internal network resources (e.g., http://192.168.1.1:8080/admin, http://10.0.0.50/internal-api)
- Observing the server's response to determine internal host availability and potentially extract information
$video_url = $_POST['remote_play_url'] = $_POST['remote_play_file_url'];
unset($_POST['remote_play_file_url']);
if (filter_var($video_url, FILTER_VALIDATE_URL) === FALSE) {
- echo json_encode(['error'=>lang('remote_play_invalid_url')]);
+ echo json_encode(['error' => lang('remote_play_invalid_url')]);
die();
}
+$parts = parse_url($video_url);
+if (!$parts || empty($parts['host'])) {
+ echo json_encode(['error' => lang('remote_play_invalid_url')]);
+ die();
+}
+
+$host = $parts['host'];
+$ipv4 = gethostbyname($host);
+if (!filter_var(
+ $ipv4,
+ FILTER_VALIDATE_IP,
+ FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
+)) {
+ echo json_encode(['error' => lang('remote_play_invalid_url')]);
+ die();
+}
+
+$records = dns_get_record($host, DNS_A + DNS_AAAA);
+foreach ($records as $record) {
+ if (isset($record['ip']) && !filter_var($record['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
+ echo json_encode(['error' => lang('remote_play_invalid_url')]);
+ die();
Source: GitHub Commit Update
Detection Methods for CVE-2026-26005
Indicators of Compromise
- Unusual outbound HTTP requests from the ClipBucket server to internal IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- Multiple Remote Play video submissions from a single user with URLs targeting internal hostnames or IP addresses
- Application logs showing failed or successful connections to internal services that should not be accessed by the web application
Detection Strategies
- Monitor web application logs for Remote Play requests containing private IP addresses or localhost references
- Implement network-level monitoring to detect outbound connections from the ClipBucket server to internal network segments
- Configure web application firewall (WAF) rules to alert on URL parameters containing internal IP patterns
- Review user activity logs for suspicious patterns of Remote Play submissions targeting sequential internal addresses (indicative of network scanning)
Monitoring Recommendations
- Enable detailed logging for the remote_play_send_form.php endpoint and related Remote Play functionality
- Configure alerting for outbound connections from the web server to RFC 1918 private address spaces
- Implement rate limiting on Remote Play submissions to slow down potential network scanning activities
- Deploy SentinelOne Singularity Platform to monitor for anomalous network behavior and SSRF attack patterns
How to Mitigate CVE-2026-26005
Immediate Actions Required
- Upgrade ClipBucket v5 to version 5.5.3 - #45 or later immediately
- If upgrade is not possible, temporarily disable the Remote Play feature until the patch can be applied
- Review server logs for evidence of SSRF exploitation attempts
- Audit any internal services that may have been accessed through this vulnerability
Patch Information
The ClipBucket development team has released a security patch in version 5.5.3 - #45 that addresses this vulnerability. The fix implements comprehensive URL validation including:
- Parsing the URL to extract the hostname
- Resolving the hostname to IP address using gethostbyname()
- Validating that the resolved IP is not in private or reserved ranges using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
- Checking both IPv4 (DNS_A) and IPv6 (DNS_AAAA) records to prevent DNS rebinding attacks
For detailed patch information, refer to the GitHub Security Advisory GHSA-69xj-2pq3-5r4v and the security commit.
Workarounds
- Disable the Remote Play feature by restricting access to upload/actions/remote_play_send_form.php at the web server level
- Implement network segmentation to limit the ClipBucket server's ability to reach internal resources
- Configure egress filtering on the firewall to prevent the web server from initiating connections to internal network ranges
- Deploy a reverse proxy with URL filtering capabilities to block requests containing internal IP patterns before they reach the application
# Apache configuration to disable Remote Play endpoint
<Location /actions/remote_play_send_form.php>
Require all denied
</Location>
# Nginx configuration to disable Remote Play endpoint
location /actions/remote_play_send_form.php {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
